In today’s ever-evolving business landscape, organizations face diverse risks, including cyber risks, that can significantly affect their operations and overall prosperity. Aligning risk management strategies with organizational objectives is crucial for effectively mitigating these potential threats and fostering sustainable growth. Easier said than done.
In this Say Easy, Do Hard segment, we discuss the challenges of aligning security and risk to the business, a topic we discuss often on the show. But this time, we do the hard part, by defining Objectives and Key Results aligned to Business Goals.
Show Notes: https://securityweekly.com/bsw-393
Join us for a special in-person edition of the Security Weekly News!
Show Notes: https://securityweekly.com/swn-472
In this live recording from BSidesSF we explore the factors that influence a secure design, talk about how to avoid the bite of UX dragons, and why designs should put classes of vulns into dungeons.
But we can't threat model a secure design forever and we can't oversimplify guidance for a design to be "more secure". Kalyani Pawar and Jack Cable join the discussion to provide advice on evaluating secure designs through examples of strong and weak designs we've seen over the years. We highlight the importance of designing systems to serve users and consider what it means to have a secure design with a poor UX. As we talk about the strategy and tactics of secure design, we share why framing this as a challenge in preventing dangerous errors can help devs make practical engineering decisions that improve appsec for everyone.
Resources
Show Notes: https://securityweekly.com/asw-328
As organizations embrace hybrid work, SaaS sprawl, and employee-owned devices, traditional Identity and Access Management (IAM) tools are failing to keep up. The rise of shadow IT, unmanaged applications, and evolving cyber threats have created an "Access-Trust Gap", a critical security challenge where IT lacks visibility and control over how employees access sensitive business data.
In this episode of Security Weekly, Jeff Shiner, CEO of 1Password, joins us to discuss the future of access management and how organizations must move beyond traditional IAM and MDM solutions. He’ll explore the need for Extended Access Management, a modern approach that ensures every identity is authentic, every device is healthy, and every application sign-in is secure, including the unmanaged ones. Tune in to learn how security teams can bridge the Access-Trust Gap while empowering employees with frictionless security.
Show Notes: https://securityweekly.com/esw-404
In this week's enterprise security news,
All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-404
In this topic segment, we discuss the most interesting insights from the 2025 edition of Verizon's DBIR.
You can grab your own copy of the report at https://verizon.com/dbir
Show Notes: https://securityweekly.com/esw-404
Beating the AI Game, Ripple (not that one), Numerology, Darcula, Special Guests, and More, on this edition of the Security Weekly News.
Special Guests from Hidden Layer to talk about this article: https://www.forbes.com/sites/tonybradley/2025/04/24/one-prompt-can-bypass-every-major-llms-safeguards/
Show Notes: https://securityweekly.com/swn-471
The crosswalk is talking to me man!, don't block my website without due process, Florida is demanding encryption backdoors, attacking boilers and banning HackRF Ones, time to update your flipper zero, using AI to create working exploits, what happens when you combine an RP2350 and an ESP32? Hopefully good hackery things!, more evidence that patching is not enough, auditing the PHP source code, reading the MEGA advisories, threat actors lie about data breaches (you don't say?), the data breach that Hertz, CISA warns of ransomware, some can't get Ahold of data breaches, please don't let people take control of your PC over Zoom and Paul's hot takes on: 4chan hack, the CVE program, and Microsoft Recall!
Show Notes: https://securityweekly.com/psw-871
AI Governance, the next frontier for AI Security. But what framework should you use? ISO/IEC 42001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS) within organizations. It is designed for entities providing or utilizing AI-based products or services, ensuring responsible development and use of AI systems. But how do you get certified? What's the process look like?
Martin Tschammer, Head of Security at Synthesia, joins Business Security Weekly to share his ISO 42001 certification journey. From corporate culture to the witness audit, Martin walks us through the certification process and the benefits they have gained from the certification. If you're considering ISO 42001 certification, this interview is a must see.
In the leadership and communications section, Are 2 CEOs Better Than 1? Here Are The Benefits and Drawbacks You Must Consider, CISOs rethink hiring to emphasize skills over degrees and experience, Why Clear Executive Communication Is a Silent Driver of Organizational Success, and more!
Show Notes: https://securityweekly.com/bsw-392
Brains, Scams, Elusive Comet, AI Scams, Microsoft Dog Food, Deleting Yourself, Josh Marpet, and more on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-470
Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user password rotations, but that doesn't mean there isn't a place for rotating secrets. It means that the tooling and processes for ephemeral secrets should be based on secure, efficient mechanisms rather than putting all the burden on users. And it also means that managing secrets shouldn't become an unmanaged risk with new attack surfaces or new points of failure.
Segment Resources:
Show Notes: https://securityweekly.com/asw-327
In the enterprise security news,
All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-403
In this interview, we're excited to speak with Pravi Devineni, who was into AI before it was insane. Pravi has a PhD in AI and remembers the days when machine learning (ML) and AI were synonymous. This is where we'll start our conversation: trying to get some perspective around how generative AI has changed the overall landscape of AI in the enterprise.
Then, we move on to the topic of AI safety and whether that should be the CISO's job, or someone else's.
Finally, we'll discuss the future of AI and try to end on a positive or hopeful note!
Show Notes: https://securityweekly.com/esw-403
What a time to have this conversation! Mere days from the certain destruction of CVE, averted only in the 11th hour, we have a chat about vulnerability management lifecycles. CVEs are definitely part of them.
Vulnerability management is very much a hot mess at the moment for many reasons. Even with perfectly stable support from the institutions that catalog and label vulnerabilities from vendors, we'd still have some serious issues to address, like:
Oh, did we mention Matt built an open source vuln scanner?
Show Notes: https://securityweekly.com/esw-403
HR Chatbots, MITRE, 4chan, Oracle, Identity, Port 53, NTLM, Zambia, Josh Marpet, and More, on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-469
Govt Unravelling, AI Hijinx, Bot Chaos, Recall, Oracle, Slopesquatting, Tycoon 2FA, College, who knows, a lot more... On Paul's Security Weekly.
Show Notes: https://securityweekly.com/psw-870
Zero Trust isn't a new concept, but not one easily implemented. How do organizations transform cybersecurity from a "default allow" model, where everything is permitted unless blocked, to a "default deny" model?
Danny Jenkins, Co-founder and CEO at ThreatLocker, joins Business Security Weekly to discuss this approach. Deny by default means all actions are blocked by default, with only explicitly approved activities allowed. This shift enhances security, reduces vulnerabilities, and sets a new standard for protecting organizations from cyber threats. Danny will discuss how ThreatLocker not only protects your endpoints and data from zero-day malware, ransomware, and other malicious software, but provides solutions for easy onboarding, management, and eliminates the lengthy approval processes of traditional solutions.
This segment is sponsored by ThreatLocker. Visit https://www.securityweekly.com/threatlocker to learn more about them!
In the leadership and communications section, Bridging the Gap Between the CISO & the Board of Directors, CISO MindMap 2025: What do InfoSec Professionals Really Do?, How to Prevent Strategy Fatigue, and more!
Show Notes: https://securityweekly.com/bsw-391
QUBIT AI, Recall This, Defender, Tycoon, Slopsquatting, Feng Mengleng, Aaran Leyland, and more, on the Security Weekly News.
Show Notes: https://securityweekly.com/swn-468
The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentication solutions like passkeys and deploying WAFs still seem peripheral to secure by design principles. We discuss what's necessary for establishing a secure environment and why so many orgs still look to tools. And with LLMs writing so much code, we continue to look for ways LLMs can help appsec in addition to all the ways LLMs keep recreating appsec problems.
Resources
In the news, crates.io logging mistake shows the errors of missing redactions, LLMs give us slopsquatting as a variation on typosquatting, CaMeL kicks sand on prompt injection attacks, using NTLM flaws as lessons for authentication designs, tradeoffs between containers and WebAssembly, research gaps in the world of Programmable Logic Controllers, and more!
Show Notes: https://securityweekly.com/asw-326
In the enterprise security news,
All that and more, on this episode of Enterprise Security Weekly.
Show Notes: https://securityweekly.com/esw-402
Default deny is an old, and very recognizable term in security. Most folks that have been in the industry for a long time will associate the concept with firewall rules. The old network firewalls, positioned between the public Internet and private data centers, however, were relatively uncomplicated and static. Most businesses had a few hundred firewall rules at most.
The idea of implementing default deny principles elsewhere were attempted, but without much success. Internal networks (NAC), and endpoints (application control 1.0) were too dynamic for the default deny approach to be feasible. Vendors built solutions, and enterprises tried to implement them, but most gave up.
Default deny is still an ideal approach to protecting assets and data against attacks - what it needed was a better approach. An approach that could be implemented at scale, with less overhead. This is what we’ll be talking to Threatlocker’s CEO and co-founder, Danny Jenkins, about on this episode. They seemed to have cracked the code here and are eager to share how they did it.
This segment is sponsored by ThreatLocker. Visit https://www.securityweekly.com/threatlocker to learn more about them!
Show Notes: https://securityweekly.com/esw-402
We wanted security data? We got it! Now, what the heck do we DO with all of it?
The core challenge of security operations, incident response, and even compliance is still a data management and analysis problem. Which is why we’re seeing companies like Abstract Security pop up to address some of these challenges.
Abstract just released a comprehensive eBook on security data strategy, linked below, and you don’t even need to give up an email address to read it! In this interview, we’ll talk through some of the highlights:
Segment Resources
Show Notes: https://securityweekly.com/esw-402
Win95, Shuckworm, Ottokit, DCs, EC2, IAB, OSS, Recall, Josh Marpet, and More, on this edition of the Security Weekly News.
Show Notes: https://securityweekly.com/swn-467
In the security news this week: You should really just patch things, the NVD backlog, Android phones with malware pre-installed, so convenient, keyloggers and a creepy pharmacist, snooping on federal workers, someone stole your browser history, NSA director fired, deputy director of NSA also fired, CrushFTP the saga continues, only steal the valid credit cards, another post that vanished from the Internet, hiding in NVRAM, protecting the Linux kernel, you down with MCP?, more EOL IoT, bypassing kernel protections, when are you ready for a pen test, red team and bug bounty, what EDR is really missing, and based on this story you should just patch everything all the time!
Show Notes: https://securityweekly.com/psw-869
This week, it's double AI interview Monday!
In our first interview, we discuss how to balance AI opportunities vs. risk. Artificial Intelligence (AI) has the potential to revolutionize how businesses operate. But with this exciting advancement comes new challenges that cannot be ignored. For proactive security and IT leaders, how do you balance the need of security and privacy in AI with the opportunities that come with accelerating adoption?
Matt Muller, Field CISO at Tines, joins Business Security Weekly to discuss the unprecedented challenges facing Chief Information Security Officers (CISOs) and approaches to mitigate AI's security and privacy risks. In this interview, we'll discuss ways to mitigate AI's security and privacy risks and strategies to help ease AI stress on security teams.
Segment Resources: - https://www.tines.com/blog/cisos-report-addressing-ai-pressures/ - https://www.tines.com/blog/ai-enterprise-mitigate-security-privacy-risks/
In our second interview, we dig into the challenges of securing Artificial Intelligence. Are you being asked to secure AI initiatives? What questions should you be asking your developers or vendors to validate security and privacy concerns?
Who better to ask than Summer Fowler, CISO at Torc Robotics, a self-driving trucking company. Summer will guide us on her AI security journey to help us understand:
Show Notes: https://securityweekly.com/bsw-390